[Mailman-Developers] Remediation for fake member creation
Stephen J. Turnbull
turnbull.stephen.fw at u.tsukuba.ac.jp
Wed Aug 24 05:34:01 EDT 2016
Franck Martin writes:
> Can't you send the email subscription request to moderation before
> the email confirmation is sent?
The option "subscription needs approval" is available, and I use it
for my student lists, etc. They're closed lists initially populated
with "mass subscribe", but students often want to use cellphone or
webmail addresses in addition to or in preference to their university
addresses. In general, if the moderator knows the users well, there's
often no point in confirmation. Eg, in my case I've almost always
received personal mail from the address (it's preferred, or at least
frequently used) in question if the student is on my list, so I know
it's theirs.
There is also an option "confirm and approve". I believe it means
"confirm, *then* approve", and I think that's the right order. First,
it prevents an attack on the moderator using faked addresses, and
makes it a lot more expensive to attack the moderator with real
addresses. I have seen such attacks on occasion for going on 25 years
now; it's not a nightmare, it's a real problem.
Second, moderators are a scarce resource. In many cases the moderator
will need to follow up out of band (for example, I recently subscribed
to a closed list, and the moderator texted me on Telegram to make sure
it was me). In that case, either way the "victim" has to deal with an
additional contact -- we can't save them the effort, we can only
reduce load for the moderator by asking the user to confirm first.
Then if the user drops it on the floor, the moderator has no work to
do. Of course there would be cases where the moderator would refuse
the request before confirmation, but I think that would depend on the
moderator knowing that there were attacks via her list. On balance, I
strongly favor protecting the moderator here.
Finally, for open lists, which currently are configured confirm-only,
I don't see how the moderators would have any idea whether it was a
legitimate request or an attack, unless it was repeated to the same
list -- and even then it would have to be a memorable address.
Bottom line: I see no reason to default "needs approval" on for
Mailman as we distribute it, unless we discover that "moderator knows
subscribers" is by far the most common case. cPanel might think
otherwise for their user base, I don't know. But not the typical open
source project or discussion list, which I believe is by far the
majority of non-cPanel (etc) Mailman lists. And the option is always
available to turn on if you realize your list is being abused that
way.
Steve
More information about the Mailman-Developers
mailing list